Screen OS


  • 1.  no inbound traffic

    Posted 03-25-2010 10:50

    I have a new SSG 20 to which I have copied the working configuration from the NetScreen 50 it is replacing. All outbound traffic works correctly, but all inbound MIP policies are failing. I can ping the physical address of the untrusted interface.

     

     

    set clock ntp
    set clock timezone -6
    set vrouter trust-vr sharable
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset auto-route-export
    exit
    set service "Blackberry TCP" protocol tcp src-port 0-65535 dst-port 3103-3103
    set service "Block Ports" protocol tcp src-port 0-65535 dst-port 4444-4445
    set service "Block Ports" + udp src-port 0-65535 dst-port 4444-4445
    set service "Block Ports" + tcp src-port 0-65535 dst-port 3127-3128
    set service "Block Ports" + udp src-port 0-65535 dst-port 111-112
    set service "Block Ports" + tcp src-port 0-65535 dst-port 2745-2746
    set service "Block Ports" + tcp src-port 0-65535 dst-port 2967-2967
    set service "Block Ports" + tcp src-port 137-137 dst-port 137-137
    set service "Block Ports" + udp src-port 137-137 dst-port 137-137
    set service "Commontime" protocol udp src-port 0-65535 dst-port 605-605
    set service "Commontime" + tcp src-port 0-65535 dst-port 605-605
    set service "UltraVNC" protocol tcp src-port 0-65535 dst-port 5900-5900
    set service "UltraVNC" + tcp src-port 0-65535 dst-port 5800-5800
    set auth-server "Local" id 0
    set auth-server "Local" server-name "Local"
    set auth-server "Xauth Server" id 1
    set auth-server "Xauth Server" server-name "172.16.254.1"
    set auth-server "Xauth Server" account-type auth xauth
    set auth-server "Xauth Server" radius secret ""
    set auth default auth server "Local"
    set auth radius accounting port 1646
    set admin name "administrator"
    set admin password ""
    set admin port 4428
    set admin http redirect
    set admin mail alert
    set admin mail server-name "172.16.0.11"
    set admin mail mail-addr1 "dclubb@slsc.org"
    set admin mail mail-addr2 "tedney@slsc.org"
    set admin mail traffic-log
    set admin auth timeout 15
    set admin auth server "Local"
    set admin format dos
    set zone "Trust" vrouter "trust-vr"
    set zone "Untrust" vrouter "trust-vr"
    set zone "DMZ" vrouter "trust-vr"
    set zone "VLAN" vrouter "trust-vr"
    set zone "Untrust-Tun" vrouter "trust-vr"
    set zone "Trust" tcp-rst
    set zone "Untrust" block
    unset zone "Untrust" tcp-rst
    set zone "DMZ" tcp-rst
    set zone "VLAN" block
    set zone "VLAN" tcp-rst
    set zone "Trust" screen alarm-without-drop
    set zone "Trust" screen icmp-flood
    set zone "Trust" screen udp-flood
    set zone "Trust" screen winnuke
    set zone "Trust" screen port-scan
    set zone "Trust" screen ip-sweep
    set zone "Trust" screen tear-drop
    set zone "Trust" screen syn-flood
    set zone "Trust" screen ip-spoofing
    set zone "Trust" screen ping-death
    set zone "Trust" screen ip-filter-src
    set zone "Trust" screen land
    set zone "Trust" screen syn-frag
    set zone "Trust" screen tcp-no-flag
    set zone "Trust" screen unknown-protocol
    set zone "Trust" screen ip-bad-option
    set zone "Trust" screen ip-record-route
    set zone "Trust" screen ip-timestamp-opt
    set zone "Trust" screen ip-security-opt
    set zone "Trust" screen ip-loose-src-route
    set zone "Trust" screen ip-strict-src-route
    set zone "Trust" screen ip-stream-opt
    set zone "Trust" screen icmp-fragment
    set zone "Trust" screen icmp-large
    set zone "Trust" screen syn-fin
    set zone "Trust" screen fin-no-ack
    set zone "Trust" screen limit-session source-ip-based
    set zone "Trust" screen syn-ack-ack-proxy
    set zone "Trust" screen limit-session destination-ip-based
    set zone "Trust" screen icmp-id
    set zone "Untrust" screen icmp-flood
    set zone "Untrust" screen udp-flood
    set zone "Untrust" screen tear-drop
    set zone "Untrust" screen syn-flood
    set zone "Untrust" screen ip-spoofing
    set zone "Untrust" screen ping-death
    set zone "Untrust" screen ip-filter-src
    set zone "Untrust" screen land
    set zone "V1-Untrust" screen icmp-flood
    set zone "V1-Untrust" screen udp-flood
    set zone "V1-Untrust" screen tear-drop
    set zone "V1-Untrust" screen syn-flood
    set zone "V1-Untrust" screen ip-spoofing
    set zone "V1-Untrust" screen ping-death
    set zone "V1-Untrust" screen ip-filter-src
    set zone "V1-Untrust" screen land
    set zone "Untrust" screen ip-sweep threshold 30000
    set zone "V1-Untrust" screen ip-sweep threshold 30000
    set zone "Trust" screen limit-session source-ip-based 1000
    set zone "Trust" screen limit-session destination-ip-based 1000
    set interface ethernet0/1 phy full 100mb
    set interface "ethernet0/0" zone "Untrust"
    set interface "ethernet0/1" zone "Trust"
    set interface "ethernet0/2" zone "DMZ"
    set interface "ethernet0/3" zone "Untrust"
    set interface "wireless0/0" zone "Trust"
    set interface "bgroup0" zone "Trust"
    unset interface vlan1 ip
    set interface ethernet0/1 ip 172.21.0.2/16
    set interface ethernet0/1 nat
    set interface ethernet0/2 ip 10.10.10.1/24
    set interface ethernet0/2 route
    set interface ethernet0/3 ip 96.35.141.2/26
    set interface ethernet0/3 route
    set interface ethernet0/3 gateway 96.35.141.1
    unset interface vlan1 bypass-others-ipsec
    unset interface vlan1 bypass-non-ip
    set interface ethernet0/1 ip manageable
    set interface ethernet0/2 ip manageable
    set interface ethernet0/3 ip manageable
    unset interface ethernet0/1 manage telnet
    unset interface ethernet0/1 manage snmp
    set interface ethernet0/3 manage ping
    set auth-server "Xauth Server" src-interface "ethernet0/1"
    set interface "ethernet0/3" mip 96.35.141.11 host 172.16.254.11 netmask 255.255.255.255 vr "trust-vr"
    set interface "ethernet0/3" mip 96.35.141.5 host 172.20.0.1 netmask 255.255.255.255 vr "trust-vr"
    set interface "ethernet0/3" mip 96.35.141.10 host 172.16.0.11 netmask 255.255.255.255 vr "trust-vr"
    set interface "ethernet0/3" mip 96.35.141.15 host 172.16.0.150 netmask 255.255.255.255 vr "trust-vr"
    set interface "ethernet0/3" mip 96.35.141.60 host 172.16.0.60 netmask 255.255.255.255 vr "trust-vr"
    set interface "ethernet0/3" mip 96.35.141.18 host 172.16.254.18 netmask 255.255.255.255 vr "trust-vr"
    set interface "ethernet0/3" mip 96.35.141.3 host 172.19.3.10 netmask 255.255.255.255 vr "trust-vr"
    set interface "ethernet0/3" mip 96.35.141.4 host 172.19.12.12 netmask 255.255.255.255 vr "trust-vr"
    set interface "ethernet0/3" mip 96.35.141.17 host 172.16.254.17 netmask 255.255.255.255 vr "trust-vr"
    set interface "ethernet0/3" mip 96.35.141.7 host 172.16.254.20 netmask 255.255.255.255 vr "trust-vr"
    set interface "serial0/0" modem settings "USR" init "AT&F"
    set interface "serial0/0" modem settings "USR" active
    set interface "serial0/0" modem speed 115200
    set interface "serial0/0" modem retry 3
    set interface "serial0/0" modem interval 10
    set interface "serial0/0" modem idle-time 10
    set pak-poll p1queue pak-threshold 240
    set pak-poll p2queue pak-threshold 80
    set flow tcp-mss
    unset flow tcp-syn-check
    unset flow tcp-syn-bit-check
    set flow reverse-route clear-text prefer
    set flow reverse-route tunnel always
    unset console dbuf
    set domain slsc.org
    set hostname Archimedes
    set pki authority default scep mode "auto"
    set pki x509 default cert-path partial
    set pki x509 dn country-name "US"
    set pki x509 dn state-name "Missouri"
    set pki x509 dn local-name "St.Louis"
    set pki x509 dn org-name "Saint Louis Science Center"
    set pki x509 dn org-unit-name "Information Systems"
    set pki x509 dn name "IS"
    set pki x509 dn phone ""
    set pki x509 dn email "dclubb@slsc.org"
    set pki x509 default send-to "dclubb@slsc.org"
    set dns host dns1 24.217.0.55 src-interface ethernet0/3
    set dns host dns2 172.16.254.2 src-interface ethernet0/1
    set dns host dns3 0.0.0.0
    set dns host schedule 00:00
    set address "Trust" "172.16.0.1/32" 172.16.0.1 255.255.255.255
    set address "Trust" "172.16.254.25/32" 172.16.254.25 255.255.255.255
    set address "Trust" "Barracuda" 172.21.0.3 255.255.255.255
    set address "Trust" "Barracuda spyware FW" 172.21.0.3 255.255.255.255
    set address "Trust" "Edison" 172.16.0.11 255.255.255.255 "Mail Server"
    set address "Trust" "Internal ipaddress" 172.16.0.0 255.255.0.0
    set address "Trust" "issupport" 172.16.0.7 255.255.255.255
    set address "Trust" "Local Net" 172.16.0.0 255.255.0.0
    set address "Trust" "Pasteur" 172.16.254.2 255.255.255.255
    set address "Untrust" "Google Beta 3" www.desktop.google.com
    set address "Untrust" "google toolbar beta" 64.233.179.93 255.255.255.255
    set address "Untrust" "Google toolbar beta2" 64.233.179.91 255.255.255.255
    set address "Untrust" "gotomypc.com" pole.gotomypc.com
    set address "Untrust" "Lifehacker" www.lifehacker.com  "Per Tedndy"
    set address "Untrust" "Mantis" 141.142.30.134 255.255.255.255
    set address "Untrust" "My Space" myspace.com
    set address "Untrust" "us bank" onlinebanker.usbank.com
    set address "Global" "Barrucuda spyware" 172.21.0.3 255.255.255.255
    set group address "Untrust" "My Spaces"
    set group address "Untrust" "My Spaces" add "My Space"
    set group address "Untrust" "TERC VNC"
    set group service "barracuda in"
    set group service "barracuda in" add "NTP"
    set group service "barracuda in" add "SSH"
    set group service "Barracuda out"
    set group service "Barracuda out" add "DNS"
    set group service "Barracuda out" add "HTTP"
    set ippool "XauthIPpool2" 10.10.10.1 10.10.10.100
    set user "clubbd" uid 2
    set user "clubbd" ike-id u-fqdn "dclubb@slsc.org" share-limit 1
    set user "clubbd" type  ike xauth
    set user "clubbd" remote dns1 "172.16.254.2"
    set user "clubbd" remote wins1 "172.16.0.1"
    set user "clubbd" password ""
    unset user "clubbd" type auth
    set user "clubbd" "enable"
    set user "edneyt" uid 4
    set user "edneyt" ike-id u-fqdn "tedney@slsc.org" share-limit 1
    set user "edneyt" type  ike xauth
    set user "edneyt" remote ippool "XauthIPpool2"
    set user "edneyt" remote dns1 "172.16.254.2"
    set user "edneyt" remote wins1 "172.16.254.1"
    set user "edneyt" password ""
    unset user "edneyt" type auth
    set user "edneyt" "enable"
    set user "voegelim" uid 3
    set user "voegelim" ike-id u-fqdn "mvoegeli@slsc.org" share-limit 1
    set user "voegelim" type  ike xauth
    set user "voegelim" remote ippool "XauthIPpool2"
    set user "voegelim" remote dns1 "172.16.254.2"
    set user "voegelim" remote wins1 "172.16.254.1"
    set user "voegelim" password ""
    unset user "voegelim" type auth
    set user "voegelim" "enable"
    set user-group "Domain Admins" id 1
    set user-group "Domain Admins" location external
    set user-group "Domain Admins" type auth xauth
    set user-group "IS Admins" id 2
    set user-group "IS Admins" user "clubbd"
    set user-group "IS Admins" user "edneyt"
    set user-group "IS Admins" user "voegelim"
    set ike gateway "P1 Xauth Gateway" dialup "IS Admins" Aggr outgoing-interface "ethernet0/3" preshare "proposal "pre-g2-3des-sha"
    unset ike gateway "P1 Xauth Gateway" nat-traversal udp-checksum
    set ike gateway "P1 Xauth Gateway" nat-traversal keepalive-frequency 0
    set ike gateway "P1 Xauth Gateway" xauth server "Xauth Server" user-group "Domain Admins"
    unset ike gateway "P1 Xauth Gateway" xauth do-edipi-auth
    set ike respond-bad-spi 1
    unset ike ikeid-enumeration
    unset ike dos-protection
    unset ipsec access-session enable
    set ipsec access-session maximum 5000
    set ipsec access-session upper-threshold 0
    set ipsec access-session lower-threshold 0
    set ipsec access-session dead-p2-sa-timeout 0
    unset ipsec access-session log-error
    unset ipsec access-session info-exch-connected
    unset ipsec access-session use-error-log
    set xauth lifetime 5
    set xauth default ippool "XauthIPpool2"
    set xauth default dns1 172.16.254.2
    set xauth default wins1 172.16.0.1
    set vpn "P2 Xauth Ike" gateway "P1 Xauth Gateway" no-replay tunnel idletime 0 proposal "g2-esp-3des-sha"
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit
    set l2tp default ppp-auth chap
    set url protocol websense
    set fail-mode permit
    exit
    set policy id 87 name "test" from "DMZ" to "Untrust"  "Any" "Any" "ANY" permit log traffic
    set policy id 87
    exit
    set policy id 80 name "IS_VPN" from "Trust" to "Untrust"  "Internal ipaddress" "Dial-Up VPN" "ANY" tunnel vpn "P2 Xauth Ike" id 4 pair-policy 79 Auth server "Xauth Server" user-group "Domain Admins" log
    set policy id 80
    exit
    set policy id 79 name "IS_VPN" from "Untrust" to "Trust"  "Dial-Up VPN" "Internal ipaddress" "ANY" tunnel vpn "P2 Xauth Ike" id 4 pair-policy 80 Auth server "Xauth Server" user-group "Domain Admins" log
    set policy id 79
    exit
    set policy id 68 name "LifeHacker" from "Trust" to "Untrust"  "Any" "Lifehacker" "ANY" deny log
    set policy id 68 disable
    set policy id 68
    exit
    set policy id 70 name "Block Telnet" from "Untrust" to "Trust"  "Any" "Any" "TELNET" deny log
    set policy id 70
    exit
    set policy id 48 name "Blocked Ports" from "Untrust" to "Trust"  "Any" "Any" "Block Ports" deny log
    set policy id 48
    exit
    set policy id 69 name "Blocked Ports" from "Trust" to "Untrust"  "Any" "Any" "Block Ports" deny log
    set policy id 69
    exit
    set policy id 43 name "Block Telnet" from "Trust" to "Untrust"  "Any" "Any" "TELNET" deny log
    set policy id 43 disable
    set policy id 43
    exit
    set policy id 44 from "Trust" to "Untrust"  "Any" "Any" "IRC" deny log count traffic
    set policy id 44
    exit
    set policy id 66 name "My Spaces" from "Trust" to "Untrust"  "Any" "My Space" "ANY" deny log
    set policy id 66
    exit
    set policy id 57 name "gotomypc.com" from "Trust" to "Untrust"  "Any" "gotomypc.com" "TCP-ANY" deny log
    set policy id 57
    exit
    set policy id 63 name "Google toolbar beta" from "Trust" to "Untrust"  "Any" "google toolbar beta" "ANY" deny log
    set policy id 63
    exit
    set policy id 62 name "Google Beta" from "Trust" to "Untrust"  "Any" "Google toolbar beta2" "ANY" deny log
    set policy id 62
    exit
    set policy id 64 name "Google toolbar Beta3" from "Trust" to "Untrust"  "Any" "Google Beta 3" "ANY" deny log
    set policy id 64 disable
    set policy id 64
    exit
    set policy id 4 name "Outside E-mail Access" from "Trust" to "Untrust"  "Edison" "Any" "HTTP" permit log
    set policy id 4
    exit
    set policy id 54 name "US Bank" from "Trust" to "Untrust"  "Any" "us bank" "TCP-ANY" permit log
    set policy id 54
    exit
    set policy id 60 name "Barracuda out" from "Trust" to "Untrust"  "Barracuda spyware FW" "Any" "Barracuda out" permit log
    set policy id 60
    exit
    set policy id 85 name "Qualys" from "Trust" to "Untrust"  "172.16.0.1/32" "Any" "ANY" permit log
    set policy id 85 disable
    set policy id 85
    exit
    set policy id 0 name "Global Outbound Permit" from "Trust" to "Untrust"  "Any" "Any" "ANY" nat src permit log count traffic priority 0
    set policy id 0
    exit
    set policy id 75 name "TERC VNC Connection" from "Untrust" to "Trust"  "TERC VNC" "MIP(96.35.141.3)" "SSH" permit log count
    set policy id 75 disable
    set policy id 75
    exit
    set policy id 76 name "Polly Com" from "Untrust" to "Trust"  "Any" "MIP(96.35.141.4)" "ANY" permit log count
    set policy id 76 disable
    set policy id 76
    exit
    set policy id 77 name "Engineering" from "Untrust" to "Trust"  "Any" "MIP(96.35.141.5)" "UltraVNC" permit log count
    set policy id 77
    exit
    set policy id 84 name "Quickr" from "Untrust" to "Trust"  "Any" "MIP(96.35.141.7)" "HTTP" permit log
    set policy id 84
    exit
    set policy id 83 name "Web Mail" from "Untrust" to "Trust"  "Any" "MIP(96.35.141.10)" "HTTP" permit log
    set policy id 83
    exit
    set policy id 82 name "In Bound Mail" from "Untrust" to "Trust"  "Any" "MIP(96.35.141.11)" "MAIL" permit log count
    set policy id 82
    exit
    set policy id 78 name "Commontime" from "Untrust" to "Trust"  "Any" "MIP(96.35.141.17)" "Commontime" permit log count
    set policy id 78
    exit
    set policy id 86 name "HTTPS for Edison" from "Untrust" to "Trust"  "Any" "MIP(96.35.141.10)" "HTTPS" permit
    set policy id 86
    exit
    set syslog src-interface ethernet0/1
    set log module system level emergency destination console
    set log module system level alert destination console
    set log module system level critical destination console
    set log module system level error destination console
    set log module system level warning destination console
    unset log module system level notification destination email
    set firewall log-self
    set nsmgmt bulkcli reboot-timeout 60
    set ssh version v2
    set ssh enable
    set scp enable
    set config lock timeout 5
    unset license-key auto-update
    set ssl encrypt 3des sha-1
    set ntp server "172.16.254.2"
    set ntp server src-interface "ethernet0/1"
    set ntp server backup1 "0.0.0.0"
    set ntp server backup2 "0.0.0.0"
    set ntp interval 1
    set ntp max-adjustment 3600
    set wlan 0 channel auto
    set wlan 1 channel auto
    set snmp name "Archimedes"
    set snmp port listen 161
    set snmp port trap 162
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset add-default-route
    set route 172.16.0.0/16 interface ethernet0/1 gateway 172.21.0.1
    set route 172.20.0.0/16 interface ethernet0/1 gateway 172.21.0.1
    set route 172.15.0.0/16 interface ethernet0/1 gateway 172.21.0.1
    set route 172.19.0.0/16 interface ethernet0/1 gateway 172.21.0.1
    exit
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit



  • 2.  RE: no inbound traffic

    Posted 03-25-2010 11:49

    Hi

     

    What is the output from:

     

    Get route

    Get mip

     

     



  • 3.  RE: no inbound traffic

    Posted 03-25-2010 11:56

    login as: administrator
    administrator@172.21.0.2's password:
    Remote Management Console
    Archimedes-> get route


    IPv4 Dest-Routes for <untrust-vr> (0 entries)
    --------------------------------------------------------------------------------------
    H: Host C: Connected S: Static A: Auto-Exported
    I: Imported R: RIP P: Permanent D: Auto-Discovered
    N: NHRP
    iB: IBGP eB: EBGP O: OSPF E1: OSPF external type 1
    E2: OSPF external type 2 trailing B: backup route


    IPv4 Dest-Routes for <trust-vr> (13 entries)
    --------------------------------------------------------------------------------------
             ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
    --------------------------------------------------------------------------------------
             11          0.0.0.0/0         eth0/0     96.35.141.1   C    0      1     Root
    *         2     192.168.1.1/32        bgroup0         0.0.0.0   H    0      0     Root
              4     192.168.2.1/32    wireless0/0         0.0.0.0   H    0      0     Root
              3     192.168.2.0/24    wireless0/0         0.0.0.0   C    0      0     Root
              1     192.168.1.0/24        bgroup0         0.0.0.0   C    0      0     Root
    *        14      172.15.0.0/16         eth0/1      172.21.0.1   S   20      1     Root
    *        13      172.20.0.0/16         eth0/1      172.21.0.1   S   20      1     Root
    *         7      172.21.0.0/16         eth0/1         0.0.0.0   C    0      0     Root
    *         8      172.21.0.2/32         eth0/1         0.0.0.0   H    0      0     Root
    *        12      172.16.0.0/16         eth0/1      172.21.0.1   S   20      1     Root
    *        15      172.19.0.0/16         eth0/1      172.21.0.1   S   20      1     Root
    *         6     96.35.141.2/32         eth0/0         0.0.0.0   H    0      0     Root
              5     96.35.141.0/26         eth0/0         0.0.0.0   C    0      0     Root

    Archimedes->

     

     

    Total MIPs under Root configured:10 Max:300.
    --------------------------------------------------------------------------------
    Map IP             Host IP         Interface   VRouter
    --------------------------------------------------------------------------------
    96.35.141.3/32     172.19.3.10     ethernet0/0 trust-vr
    96.35.141.4/32     172.19.12.12    ethernet0/0 trust-vr
    96.35.141.5/32     172.20.0.1      ethernet0/0 trust-vr
    96.35.141.7/32     172.16.254.20   ethernet0/0 trust-vr
    96.35.141.10/32    172.16.0.11     ethernet0/0 trust-vr
    96.35.141.11/32    172.16.254.11   ethernet0/0 trust-vr
    96.35.141.15/32    172.16.0.150    ethernet0/0 trust-vr
    96.35.141.18/32    172.16.254.18   ethernet0/0 trust-vr
    96.35.141.60/32    172.16.0.60     ethernet0/0 trust-vr
    96.35.141.17/32    172.16.254.17   ethernet0/0 trust-vr

     

    Thanks for your help.

     



  • 4.  RE: no inbound traffic
    Best Answer

    Posted 03-25-2010 12:46

    Hi

     

    You don't have a gateway of last resort (default gateway). This can be seen from the missing "*" in front of the 0.0.0.0/0 route, which means it is not active, and it also uses the wrong interface: the route table shows it on eth0/0, while the public address 96.35.141.2/26 and its gateway are configured on ethernet0/3.

     

    I think this should do the trick.

     

    unset interface ethernet0/0 zone Untrust
    unset interface ethernet0/3 gateway 96.35.141.1
    set vrouter trust-vr
    set route 0.0.0.0/0 interface ethernet0/3 gateway 96.35.141.1

    exit

     

     



  • 5.  RE: no inbound traffic

    Posted 03-25-2010 13:22

    Thank you for your help; everything is working great.

